Is an ISP code of conduct the best way to fight botnets?

The Department of Homeland Security and National Institute of Standards and Technology are looking to beat back the kudzu of spam generators, distributed denial of service zombies, and other botnets, and they want your cooperation—on a totally voluntary basis, of course.

Rather than pushing for new regulations to require Internet service providers to block botnet attacks, the agencies are looking to create a voluntary "code of conduct" to govern how ISPs handle detecting and dealing with them. In a cybersecurity "Green Paper" published in June, the Department of Commerce's Internet Policy Task Force found that one of the main barriers to cracking down on botnets was that ISPs lack a mechanism for setting established common cybersecurity practices. Rather than make ISPs responsible for directly dealing with botnet infections, the approach being considered is to inform users they've been hacked.

On Wednesday, NIST issued a request for information from companies in what the agency has labeled the Internet and Information Innovation Sector (I3S) to help define the approach of the code. The agencies are also considering approaches such as the two-year-old draft recommendations of the IETF on botnet remediation, and looking at similar efforts overseas as models for the program.

One of those models is an Australian conduct code, initiated by Australia's Internet Industry Association last year in the face of a push for government regulation. Under Australia's iCode program, ISPs redirect Web requests from systems suspected of having bot malware to a website with tools to remove malware. Users discover their system has been "disconnected" when they try to use their Web browser. The iCode system now is in use by 30 ISPs in Australia, covering 90 percent of Internet users there.

Similar user-alert efforts are also underway in Japan and Germany, though they take different approaches in notification. Japan's Cyber Clean Center initiative uses "honeypot" machines installed at participating ISPs to attract and detect botnet infection attempts launched from users' systems. The ISPs then associate the IP addresses of the attack sources and send notification e-mails to their customers, as Cyber Clean Center's infographic below illustrates.
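The honeypot-to-notification flow described above, reduced to a runnable sketch. This is an added example, not the Cyber Clean Center's or any ISP's code: the log format, the subscriber table, the signature names and the rule that business accounts get an e-mail while residential accounts get a browser redirect are all constructed assumptions. It also shows the limit the approach has at the ISP: the honeypot sees one public address per account, so the notice can only say that some device on that connection is attacking, never which one.

```python
"""Toy ISP-side botnet notification pipeline (constructed example, not the
Cyber Clean Center's or any ISP's code)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed honeypot event log (timestamp, source IP, dst port, signature).
# Addresses are from the RFC 5737 documentation ranges.
HONEYPOT_LOG = """\
2011-09-21T10:14:02Z 203.0.113.17  445  conficker-probe
2011-09-21T10:14:09Z 203.0.113.17  445  conficker-probe
2011-09-21T10:20:44Z 198.51.100.9  25   spam-relay-attempt
2011-09-21T10:31:00Z 203.0.113.250 3389 rdp-bruteforce
2011-09-21T10:32:15Z 192.0.2.77    80   benign-scan
2011-09-21T10:40:00Z 192.0.2.78    445  conficker-probe
"""

# Constructed subscriber table: currently assigned address -> (account id, account type).
SUBSCRIBERS = {
    "203.0.113.17": ("acct-1001", "residential"),
    "198.51.100.9": ("acct-2042", "business"),
    "203.0.113.250": ("acct-1003", "residential"),
}

# Signatures that justify a notification; "benign-scan" is deliberately absent.
NOTIFIABLE = {"conficker-probe", "spam-relay-attempt", "rdp-bruteforce"}


def parse_log(text):
    """Parse the honeypot log into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, port, sig = parts
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ipaddress.ip_address(ip),
            "port": int(port),
            "sig": sig,
        })
    return events


def build_notifications(events, subscribers):
    """Map attack sources to subscriber accounts and aggregate one notice per account.

    Returns (notifications, unmapped_sources). Aggregation is per account, not
    per device: behind a NAT the ISP only sees the shared public address, so the
    notice can say "a device on your connection", never which machine.
    """
    per_account = defaultdict(lambda: {"events": 0, "signatures": set(), "kind": None})
    unmapped = []
    for ev in events:
        if ev["sig"] not in NOTIFIABLE:
            continue
        sub = subscribers.get(str(ev["src"]))
        if sub is None:
            unmapped.append(str(ev["src"]))  # not our address space, or lease expired
            continue
        acct, kind = sub
        rec = per_account[acct]
        rec["events"] += 1
        rec["signatures"].add(ev["sig"])
        rec["kind"] = kind
    notifications = []
    for acct in sorted(per_account):
        rec = per_account[acct]
        # Assumed policy (not from the article): business accounts get an e-mail to
        # their technical contact; residential accounts get the iCode-style redirect.
        channel = "email" if rec["kind"] == "business" else "walled-garden"
        sigs = ", ".join(sorted(rec["signatures"]))
        notifications.append({
            "account": acct,
            "channel": channel,
            "events": rec["events"],
            "signatures": sorted(rec["signatures"]),
            "message": f"A device on connection {acct} was seen attacking a honeypot ({sigs}).",
        })
    return notifications, unmapped


if __name__ == "__main__":
    notes, unmapped = build_notifications(parse_log(HONEYPOT_LOG), SUBSCRIBERS)
    for n in notes:
        print(n["channel"], n["account"], n["events"], n["message"])
    print("unmapped sources:", unmapped)
```

Repeated probes from one address collapse into a single notice with an event count, so a noisy bot does not generate a flood of e-mails, and sources that do not map to a current subscriber lease are returned separately rather than silently dropped, since they usually mean the address-to-account table is stale.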

One of the major questions DHS and NIST are looking to answer is who ends up paying the tab for the US version of these programs and provides the resource center that users are directed to: a private entity, a public-private partnership, or a government agency-run organization with some input from industry. There's also concern about whether detection efforts might expose consumers' personally identifiable information. And while the approaches in Australia, Germany and Japan have focused on ISPs, NIST and DHS are trying to determine whether operating system vendors and other service providers should also be involved in a US anti-botnet program.

36 Reader Comments

It's an interesting concept. I have often wished there were a good way to notify folks of their infections; perhaps this would work. I love how it all comes down to "who's going to pay", though. Go figure, eh?

Edited to add: I wonder how long until fake "You're infected, run this" sites pop up. Wouldn't be difficult to implement, either, I suspect. Always something.

> Users discover their system has been "disconnected" when they try to use their Web browser.

Wait, what? How do they claim to know the difference between the user that they're disconnecting and anyone who could be on the same network? They just wholesale cut off the account until the user finds the one computer that's infected?

I support the effort, but I doubt I would download worm-extracting executables pointed to by a "virus alert" email. It seems _far_ too easy to create fake notifications. The same goes for the MitM HTTP redirects. What if a user on the same LAN does exactly the same (after a s/\.net/\.com/)?

Uh, yeah. I've got a dollar that says the fake anti-spyware people are going to take advantage of that as soon as they can. "Your system has been hax0red! Send us $30 to fix the problem we totally aren't responsible for!"

"Notification from the US Government and Comcast, you currently have a botnet spyware malwares in your computer!

Can you imagine antisec using something like this? All they have to do is wait for an official notification to come out, and replicate whatever "watermarks" they have, and boom brand new scam variety of rich Nigerian prince who wants to give you money

So my ISP starts to "redirect" my IP because of an infected computer? Excuse me, but 250 hospital employees are all on the web behind that one IP address. Now an automated program can cut off all access for the entire hospital.

Comcast is actually already doing something like this; they direct the traffic to a captive portal internal to the Comcast network with information and tools available to assist. How good it is, I couldn't tell you, but it exists.

So I fire up my browser and try to go to www.example.com, and am redirected to a website that is most definitely not www.example.com. Instead, the page I get tells me that my computer might be infected, and I should download and install and use XYZ software to take care of the problem.

How is this any different from the situations we have been training people to explicitly distrust and run away from for years now?

A quick google search has failed me on this question: What is the distribution of botnets based on what operating system a user is running? I would think that Linux would be the lowest, followed by OSX because of the low market share, but how much less likely is a Windows 7 machine likely to be infected than one running XP?

Qwest (now CenturyLink) has already been doing this. I was repairing an acquaintance's PC a while back and any attempts to connect were redirected to a warning page about suspicious traffic or some such nonsense until I clicked a link.

> So my ISP starts to "redirect" my IP because of an infected computer? Excuse me, but 250 hospital employees are all on the web behind that one IP address. Now an automated program can cut off all access for the entire hospital.

Sounds great. Where do I sign up?

Not to mention the critical hospital systems communicating patient critical lab results and other health care information over the same circuit.

They would most likely enable this through the DNS system though so if you are running your own internal DNS you probably would never know.

> So my ISP starts to "redirect" my IP because of an infected computer? Excuse me, but 250 hospital employees are all on the web behind that one IP address. Now an automated program can cut off all access for the entire hospital.
>
> Sounds great. Where do I sign up?

I assume your hospital is paying for a commercial account, which I assume would automatically get different treatment, but that doesn't mean the point isn't valid. I'd imagine that plenty of home connections have routers and any number of internet-connected devices that could end up being part of a botnet, from multiple computers to game systems, tablets or even cell phones. Since virtually every home connection would be behind a NAT, the ISP has no way to tell what device is actually infected. Not to mention the possibility of some other random device temporarily being connected to the network that could be the source of the apparent infection.

The basic idea does have some merit because if we can let people know that there is an issue they can fix it. If they don't know they have an issue it won't be fixed. Unfortunately, there are also a number of problems with the idea. The frequent use of NATs makes identifying the specific machine challenging. It is also very susceptible to being impersonated as a method of infecting a computer. Identifying the machine could become much easier with deployment of IPv6, which would give each device a single public address, but I don't see any easy way to deal with the impersonation risk that doesn't end up having a significant cost.

So what happens with false positives? Most people who've ever run any kind of anti-virus/malware software have something on their computer that shows up as malware even if it isn't. Does my internet connection get "redirected" until I "fix" the problem, or can I get around that somehow?

Same with multiple connections, as others have stated. If I have computer A that is infected, maybe I want to use computer B to look up information on it rather than blindly trusting whatever "fix" tools my ISP gives me.

I also second the "this is what we train people to avoid" sentiment. Make the official action look like spam? Yea, that'll definitely help the problem.

Destined for failure, but that makes it sound like the perfect solution to push through. Yay for fear-mongering!

"After a long and escalating string of high-profile attacks on government and corporate sites using botnets like the Low Orbit Ion Cannon,"

The Low Orbit Ion Cannon is not a botnet. It's annoying how many groups consider Anonymous to be just a handful of guys with virused computers in a botnet. It's much bigger than that; Anonymous works by having thousands of volunteers running the tool simultaneously to DDoS sites.

Of course, other groups, such as lulzsec, did not use volunteers. But they don't use the Low Orbit Ion Cannon either.

Thanks, I wanted to point this out. LOIC is not a botnet, I suppose it could be used by a botnet. Not the same thing at all though.

That was the first thing that caught my attention in this article. They need to do more fact-checking before they publish these stories... or stop spreading false information to push a particular agenda, if that's what's going on. Given some of the comments I've read from Ars staff recently, I can't really say I'm confident in their journalistic professionalism.

If this "voluntary" policy will declare the LOIC a botnet, I don't see much of a limit to what they can disconnect you for--and under the guise of "protecting" you, too.

"We see you've recently visited Wikileaks. As you've clearly been hacked by terrorists, we've disconnected your internet until the issue is resolved. Please drop your pants, bend over, and wait for our customer service representatives to arrive. Do not attempt to run from the dogs. We are not liable for flashbang-related injuries or property damage."

It's a hard problem. They have to do something, we can't just go on letting all those old Windows XT-running infected zombies just roam around the net eating our brains. But I'm not so sure about this redirection to a disinfection web site. What if it is a false positive, and you are a small business?? Your web site could be borked by the ISP until the next time you check. Not great.

I applaud this initiative wholeheartedly. Whatever it takes to bring the axe down on botnets, spammers and scammers. However, as people have pointed out, there are problems with this implementation, such as false positives. Could a system possibly be implemented (either as an alternative or in addition to the one described) in which browsers themselves would scan web pages for malicious content using a universal standard?

I don't know how this could be done: Reroute traffic to a cloud server hosted by public/trusted entities? That might be a problem WRT privacy, not to mention funding. Local scanning? It would depend on the overhead for the local systems and on the ability to keep databases permanently updated. Also, malware detection vendors would be up in arms if that came about.

As it is, I think disconnecting infected computers - so long as the detection is something like 99% accurate - is an improvement over the current situation.

[EDIT] Maybe IPv6 could allow true 1:1 addressing? If each system has a unique address, it could exclude false positives for computers behind a NAT, no?

Here's one problem with the redirects: You just know that the ISPs will try to spin it to their favor. If ISP's are allowed to redirect supposedly infected computers, why can't they do the same for mistyped Internet searches? All they're doing is keeping their customers safe...

If it comes down to the ISPs redirecting/informing, they should offer the choice. It should be transparent for companies (in the hospital example, and so it doesn't affect commerce). It should be an option for the consumer but not mandatory. The notifications via email should be mandatory and as detailed as possible (with an option to send to multiple addresses in consideration of IT departments). From a recognizable email address to a recognizable web site secured with https (my 70-year-old grandparents understand the concept) with a captcha, so if you need access you're not cut off till you remove the bot.

If it was similar to the idea I stated I wouldn't disable it. I have two machines that are always on and three other computers in the house. Aside from safe internet usage or malware detectors, most consumers are not going to have a network monitor to see their network traffic, so it may be a good option to notify customers of breaches and cripple the bots.

If they make it a burden they'll fail. As for who picks up the bill? The ISPs. They don't need to roll around in that many $100 bills. Anyway, they claim it costs millions of dollars to send pictures of cats to the house down the street; they would be catching a free ride since traffic will be cut down some.

Better system. When a hacked computer is detected, a command is sent to the offending unit to format its own system drive. Anyone stupid enough to not protect their computers doesn't deserve to be on the Internet.

Homeland Security.... Yeah, that's a name many people find synonymous with "success"

Well, on the one hand, they are finding and shutting down bot nets.

On the other hand, they're laughing at how small someone's penis is when they x-ray them at the airport.

"Carry on, Citizen."

SIDE NOTE ... if this was really something viable, you'd think the ISP industry would have cobbled together something to do it by now w/o gov't intervention. Big telco spends all this time packet-sniffing peep's comps. Let them packet-sniff out malware-infested comps, and let customers know. Do some good for once, and maybe it'll help us justify why you're sniffing all our packets.

Problems with "Your computer is infected! Download this and give us money to fix it!" are easy to predict, but it doesn't have to be that hard to solve; just put the fix out-of-band of the problem.

For example, block internet access with a warning that your computer is/could be hacked, and please call your provider. No link, no downloads, no phone number, nothing. (Possibly a one-time-use code for computer identification.) Check a copy of your bill for the phone number, or use a phone book. They tell you the information they already have on file to confirm everyone is who they should be, and then you can move on to finding the problem. You already have them on the phone for some basic troubleshooting, or tracking down what box is the problem.

How about a big red light and annoying beep every few seconds, to indicate a botnet detection? Build it into consumer level modems.

If equipment starts beeping annoyingly, as a consumer, I would call whomever I got that equipment from. I don't know how much control ISPs have over their modems, but from what I have seen, Comcast could easily push out a firmware update to a specific modem to turn features on and off.

Business users (or anybody who knows enough to purchase their own modem) need not be bothered.